Tuesday, 19 September 2023 10:48

Microsoft exposed 38TB of private data on GitHub: Wiz researchers

By Sam Varghese

Image by Gerd Altmann from Pixabay

AI researchers at Microsoft accidentally exposed 38TB of private data while publishing open-source training data from an Azure storage account, the cloud security company Wiz.io claims.

In a blog post on Monday, Wiz researchers Hillai Ben-Sasson and Ronny Greenberg said the exposed data included disk back-ups of employee workstations, which in turn contained secrets, private keys, passwords and more than 30,000 internal Microsoft Teams messages.

Wiz, a company which was set up by former Microsoft engineers, recently did a deep dive on an Azure cloud breach suffered by Microsoft and revealed several problematic issues at the core of the intrusion.

The Monday post concerned an exposure that Wiz reported to Microsoft on 22 June. Wiz said Microsoft had invalidated the offending token two days later.

Explaining what had happened, Ben-Sasson and Greenberg said the files were shared using an Azure feature called SAS (Shared Access Signature) tokens, which are signed URLs that let a user grant access to data in a storage account without handing out the account credentials.

"The access level can be limited to specific files only; however, in this case, the link was configured to share the entire storage account — including another 38TB of private files," the two Wiz researchers noted.

"This case is an example of the new risks organisations face when starting to leverage the power of AI more broadly, as more of their engineers now work with massive amounts of training data.

"As data scientists and engineers race to bring new AI solutions to production, the massive amounts of data they handle require additional security checks and safeguards."

Ben-Sasson and Greenberg said they had come across the accidentally exposed data while scanning for misconfigured storage containers.

"In this process, we found a GitHub repository under the Microsoft organisation named robust-models-transfer," they wrote. "The repository belongs to Microsoft’s AI research division, and its purpose is to provide open-source code and AI models for image recognition."

Instructions for downloading data from the repository were provided in the repository's README, with a link into an Azure storage account.

[Image: screenshot of the download instructions from the GitHub repository]

But due to the misconfiguration, the URL provided access to the entire storage account, not just the open-source models.

"Our scan shows that this account contained 38TB of additional data – including Microsoft employees’ personal computer back-ups," the Wiz pair wrote.

"The back-ups contained sensitive personal data, including passwords to Microsoft services, secret keys, and over 30,000 internal Microsoft Teams messages from 359 Microsoft employees."

Apart from being scoped to the whole account, the token had been issued with "full control" rather than read-only permissions, so anyone holding it could also delete or overwrite existing files, including the open-source models other users were downloading.

The access level of an SAS token can be customised by whoever creates it, and such tokens are a security risk because they can grant access to external, unidentified parties, Ben-Sasson and Greenberg said. In particular, an account SAS is signed with the storage account key, so Azure keeps no record of the tokens that have been issued and the only way to revoke one is to rotate that key.

They pointed out that SAS tokens also had expiry problems: Azure imposes no upper limit on how far in the future a token may expire. In this case, the Microsoft token was set to expire in 2051.
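The three misconfigurations the researchers describe (account-wide scope, permissions that allow writing and deleting, and an expiry decades away) are all visible in the query string of an SAS URL, so they can be checked before a link is committed to a README. The triage script below is an added example written for this article; it is not Wiz's or Microsoft's tooling. The storage account name, URLs, signature values and the seven-day lifetime ceiling are constructed stand-ins and assumed policy, and it goes slightly beyond the single token in the story by also telling account, service and user-delegation SAS forms apart from their parameters.

```python
"""Triage an Azure Storage SAS URL for the misconfigurations described above:
account-wide scope, mutating permissions and a far-off expiry.

Added illustration, not Wiz's or Microsoft's code; every sample value below
(account name, URLs, signature, policy limit) is constructed for the demo.
"""
from __future__ import annotations

from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

# Letters in 'sp' that let the holder change or destroy data
# (write, delete, add, create, update). 'r' and 'l' are read/list only.
MUTATING_PERMS = set("wdacu")

# Reference time for the demo: the date of the Wiz post (18 Sep 2023).
REPORT_DATE = datetime(2023, 9, 18, tzinfo=timezone.utc)


def parse_sas(url: str) -> dict[str, str]:
    """Flatten the SAS query string into a dict (last value wins)."""
    return {k: v[-1] for k, v in parse_qs(urlsplit(url).query).items()}


def classify_sas(params: dict[str, str]) -> str:
    """Infer the SAS flavour from the parameters present.

    user-delegation: signed with an Entra ID user delegation key ('skoid' etc.)
    account:         signed with the account key, scoped by 'ss' + 'srt'
    service:         signed with the account key, scoped by 'sr'
    """
    if "skoid" in params:
        return "user-delegation"
    if "ss" in params and "srt" in params:
        return "account"
    if "sr" in params:
        return "service"
    return "unknown"


def audit_sas(url: str, now: datetime | None = None, max_days: int = 7) -> list[str]:
    """Return a list of findings; an empty list means the token looks acceptable.

    'max_days' is an assumed organisational ceiling on token lifetime; Azure
    itself imposes no upper limit, which is the point the researchers made.
    """
    now = now or datetime.now(timezone.utc)
    p = parse_sas(url)
    findings: list[str] = []

    kind = classify_sas(p)
    if kind == "account":
        findings.append("type: account SAS is signed with the account key, is not "
                        "tracked by Azure and can only be revoked by rotating that key")
        # srt letters: s=service, c=container, o=object; 'c'+'o' means every blob.
        if {"c", "o"} <= set(p.get("srt", "")):
            findings.append(f"scope: srt={p['srt']} covers every container and object "
                            f"in the account (services ss={p.get('ss', '')})")
    elif kind == "service" and p.get("sr") == "c":
        findings.append("scope: service SAS on a whole container rather than one blob")

    mutating = sorted(set(p.get("sp", "")) & MUTATING_PERMS)
    if mutating:
        findings.append(f"permissions: sp={p['sp']} allows {''.join(mutating)} "
                        "(data can be overwritten or deleted), not read-only")

    se = p.get("se")
    if se is None:
        findings.append("expiry: no 'se' parameter, the token never expires on its own")
    else:
        expiry = datetime.fromisoformat(se.replace("Z", "+00:00"))
        if expiry <= now:
            findings.append(f"expiry: se={se} is already in the past")
        elif expiry - now > timedelta(days=max_days):
            findings.append(f"expiry: se={se} is {(expiry - now).days} days away, "
                            f"beyond the {max_days}-day policy limit")
    return findings


# Constructed stand-in for the kind of link found in a README: account SAS,
# whole-account scope, read/write/delete rights, expiry in 2051. Not a real token.
OVERSCOPED_SAS = ("https://exampleacct.blob.core.windows.net/models/resnet50.pt"
                  "?sv=2021-06-08&ss=bfqt&srt=sco&sp=rwdlacup"
                  "&se=2051-01-01T00:00:00Z&spr=https&sig=REDACTED")

# Constructed counter-example: user delegation SAS, one blob, read-only, one hour.
SCOPED_SAS = ("https://exampleacct.blob.core.windows.net/models/resnet50.pt"
              "?sv=2021-06-08&sr=b&sp=r&se=2023-09-18T01:00:00Z&spr=https"
              "&skoid=00000000-0000-0000-0000-000000000000"
              "&sktid=00000000-0000-0000-0000-000000000000&sig=REDACTED")

if __name__ == "__main__":
    for label, url in (("over-scoped", OVERSCOPED_SAS), ("scoped", SCOPED_SAS)):
        print(f"{label}: {classify_sas(parse_sas(url))} SAS")
        for finding in audit_sas(url, now=REPORT_DATE):
            print("  -", finding)
```

Run against any `*.core.windows.net` link before it is published; an account SAS with `srt=sco` and any of `w`, `d`, `a`, `c` or `u` in `sp` is exactly the pattern described above. The script only reads the URL and never contacts Azure, so it is safe to put in a pre-commit hook or a CI secret scanner.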

They provided advice to security practitioners so that such issues could be avoided, including preferring user-delegation SAS tokens (tied to an Entra ID identity) over account SAS tokens for external sharing, setting short expiry times, scanning repositories for SAS links, and disabling SAS access entirely on storage accounts that do not need it.





Sam Varghese

Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.
